Encryption and Firewalls - PowerPoint PPT Presentation

About This Presentation
Title:

Encryption and Firewalls

Description:

Know how digital certificates work and why they are important security tools ... Encryption conceals information to render it unreadable to all but intended recipients ... – PowerPoint PPT presentation

Slides: 58
Provided by: annek162

Transcript and Presenter's Notes

1
Encryption and Firewalls
  • Chapter 7

2
Learning Objectives
  • Understand the role encryption plays in firewall
    architecture
  • Know how digital certificates work and why they
    are important security tools
  • Analyze the workings of SSL, PGP, and other
    popular encryption schemes
  • Enable Internet Protocol Security (IPSec) and
    identify its protocols and modes

3
Encryption
  • Process of encoding and decoding information to
      • Preserve its integrity
      • Maintain privacy
      • Ensure identity of users participating in the
        encrypted data session

4
Why Firewalls Need to Use Encryption
  • Hackers take advantage of a lack of encryption
  • Encryption
      • Preserves data integrity
      • Increases confidentiality
      • Is relied upon by user authentication
      • Plays a fundamental role in enabling VPNs

5
Hackers Take Advantage of a Lack of Encryption
6
Hackers Take Advantage of a Lack of Encryption
7
The Cost of Encryption
  • CPU resources and time
  • Bastion host that hosts the firewall should be
    robust enough to manage encryption and other
    security functions
  • Encrypted packets may need to be padded to
    uniform length to ensure that some algorithms
    work effectively
  • Can result in slowdowns
  • Monitoring can burden system administrator

8
Preserving Data Integrity
  • Even encrypted sessions can go wrong as a result
    of man-in-the-middle attacks
  • Encryption can provide nonrepudiation using a
    digital signature

9
Maintaining Confidentiality
  • Encryption conceals information to render it
    unreadable to all but intended recipients

10
Authenticating Network Clients
  • Firewalls need to trust that the person's claimed
    identity is genuine
  • Firewalls that handle encryption can be used to
    identify individuals who have digital ID cards
    that include encrypted codes
      • Digital signatures
      • Public keys
      • Private keys

11
Enabling VPNs
  • As an integral part of VPNs, encryption
      • Enables the firewall to determine whether the
        user who wants to connect to the VPN is actually
        authorized to do so
      • Encodes payload of information to maintain privacy

12
Digital Certificates and Public and Private Keys
  • Digital certificate
      • Electronic document that contains a digital
        signature (encrypted series of numerals and
        characters), which authenticates identity of
        person sending certificate
  • Keys
      • Basis of digital certificates and signatures
      • Enable holders of digital certificates to encrypt
        communications (using their private key) or
        decrypt communications (using sender's public key)

13
Digital Certificates
  • Transport encrypted codes (public and private
    keys) through the firewall from one host to
    another
  • Help ensure identity of the individual who owns
    the digital certificate
  • Provide another layer of security in firewall
    architecture

14
Aspects of Digital Certificates
  • Establishment of an infrastructure for exchanging
    public and private keys
  • Need to review and verify someone's digital
    certificate
  • Difference between client- and server-based
    digital certificates

15
The Private Key Infrastructure
  • Lightweight Directory Access Protocol (LDAP)
      • Publicly available database that holds names of
        users and digital certificates
  • Public-Key Infrastructure (PKI)
      • Enables distribution of digital certificates and
        public and private keys
      • Underlies many popular and trusted security
        schemes (e.g., PGP and SSL)

16
Viewing a Digital Certificate
17
Viewing a Digital Certificate
18
Types of Digital Certificates a Firewall Will Encounter
  • Client-based digital certificates
      • Obtained by users from a Certification Authority
        (CA), which issues them and vouches for owner's
        identity
  • Server-based digital certificates
      • Issued by a CA to a company that issues them to
        individuals

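Slides 14 and 18 say a firewall must review and verify a presented certificate and that a CA vouches for the owner's identity. As an added example (not from the slides or any product they mention), this Go code builds a small CA, has it issue a client certificate, and performs the check a gateway does before trusting the certificate: chaining it to a root the gateway already trusts and requiring client-authentication usage. The names newCert and VerifyClient are this example's own, and the CA's private key is assumed to be held securely by the issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serial int64 // increasing serial number for this toy CA (example assumption)

// newCert generates a key pair and a certificate for name. With ca == nil it is a
// self-signed CA root; otherwise the CA signs a client certificate for that user.
func newCert(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	parent, signer := ca, caKey
	if ca == nil { // self-signed root: the CA vouches for itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else { // leaf issued to a user, usable only for client authentication
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyClient is the check a firewall performs before trusting a presented certificate:
// chain it to a CA the firewall already trusts and confirm it is valid now for client auth.
func VerifyClient(presented, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A certificate issued by a CA the firewall does not trust fails the chain check even if the subject name is identical, which is the whole point of the CA vouching for identity.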
19
Keys
  • Value generated by an algorithm that can also be
    processed by an algorithm to encrypt or decrypt
    text
  • Key length largely determines how strong the
    encryption is

20
Aspects of Keys That Pertain to Firewall-Based Encryption
  • Public and private keys
  • Need to generate public keys
  • Need to securely manage private keys
  • Need to use a key server either on network or
    Internet
  • Differences between private and public key servers

21
Public and Private Keys
  • Private key
      • Secret code generated by an algorithm
      • Never shared with anyone
  • Public key
      • Encoded information generated when private key is
        processed by the same algorithm
      • Can be exchanged freely with anyone online

22
A Public Key Generated by PGP
23
An Encrypted Communication Session
24
Choosing the Size of Keys
25
Generating Keys
26
Managing Keys
  • Manual distribution
  • Use of a CA
  • Use of a Key Distribution Center (KDC)

27
Using a Key Server That Is on Your Network
28
Using an Online Key Server
29
Analyzing Popular Encryption Schemes
  • Symmetric key encryption
  • Asymmetric key encryption
  • Pretty Good Privacy (PGP)
  • Secure Sockets Layer (SSL)

30
Symmetric Encryption
  • Use of only one key to encrypt information,
    rather than a public-private key system
  • Same key is used to encrypt/decrypt a message
  • Both sender and recipient must have same key
  • Not scalable

31
Symmetric Key Encryption
32
Asymmetric Encryption
  • Uses only one user's public key and private key
    to generate unique session keys that are
    exchanged by users during a particular session
  • Only the private key must be kept secret
  • Scales better than symmetric encryption
  • Disadvantages
      • Slower
      • Only a few public key algorithms are available
        (e.g., RSA and ElGamal) that are secure and easy to
        use for both encryption and key exchange

33
Asymmetric Key Encryption
34
PGP
  • Hybrid system that combines advantages of
    asymmetric (scalability) and symmetric (speed)
    encryption systems

35
PGP
  • Process
      • File/message is encrypted with a session key
      • Session key is encrypted using public key half of
        asymmetric public-private key pair
      • Recipient of encrypted message uses his/her
        private key to decode the session key
      • Session key is used to decode message/file
  • Encryption schemes used to generate public and
    private key pairs
      • Rivest-Shamir-Adleman (RSA) encryption
      • Diffie-Hellman encryption

36
Using PGP
37
Using PGP
38
X.509
  • Standard set of specifications for assembling and
    formatting digital certificates and encrypting
    data within them
  • A commonly used type of PKI
  • Widely used and well trusted

39
X.509 and PGP Compared
  • X.509
      • Perception of trust
  • PGP
      • Does not make use of the CA concept
      • Gives users ability to wipe files from hard disk
        (and delete permanently)
      • Available both in freeware and commercial versions

40
X.509 and PGP Compared
41
SSL
  • Secure way to transmit data
  • Uses both symmetric and asymmetric keys
  • Asymmetric keys start an SSL session
  • Symmetric keys are dynamically generated for the
    bulk of the transfer

42
Using Internet Protocol Security (IPSec) Encryption
  • Creates a secure IP connection between two
    computers
  • Operates under the Application layer
  • Transparent to users

43
Understanding IPSec
  • Set of standards and software tools that encrypt
    IP connections between computers
  • Allows a packet to specify a mechanism for
    authenticating its origin, ensuring data
    integrity, and ensuring privacy

44
Modes of IPSec
  • Transport mode
  • Tunnel mode
  • Choice depends on type of network and whether it
    uses NAT

45
Transport Mode
  • IPSec authenticates two computers that establish
    a connection
  • Can optionally encrypt packets
  • Does not use a tunnel

46
Tunnel Mode
  • IPSec encapsulates IP packets and can optionally
    encrypt them
  • Encrypts packet headers rather than the data
    payload
  • Incompatible with NAT

47
IPSec Protocols
  • Authentication Header (AH)
  • Encapsulation Security Payload (ESP)

48
Authentication Header (AH)
  • Adds a digital signature to packets to protect
    against replay attacks, spoofing, or other
    tampering
  • Verifies that parts of packet headers have not
    been altered between client and IPSec-enabled
    host
  • Incompatible with NAT

49
AH
50
Encapsulation Security Payload (ESP)
  • More robust than AH: encrypts the data part of
    packets as well as the headers
  • Provides confidentiality and message integrity
  • Can cause problems with firewalls that use NAT

51
Components of IPSec
  • Two modes: transport and tunnel
  • Two protocols: AH and ESP
  • IPSec driver
  • Internet Key Exchange (IKE)
      • Internet Security Association Key Management
        Protocol (ISAKMP)
      • Oakley
  • IPSec Policy Agent

52
Choosing the Best IPSec Mode for Your Organization
53
Choosing the Best IPSec Mode for Your Organization
  • ESP plus tunnel mode provides best level of
    protection
  • ESP conceals IP header information
  • Tunnel mode can both encapsulate and encrypt
    packets

54
Enabling IPSec
  • Select group policy security setting for
    computers that need to communicate with enhanced
    security
      • Define at group policy level in Windows 2000
      • Define at local policy level if not in Windows
        2000
  • Predefined IPSec policy levels in Windows 2000 or
    XP
      • Client (Respond only)
      • Server (Request Security)
      • Secure Server (Require Security)

55
Defining IPSec Policy at Local Policy Level
56
Limitations of IPSec
  • If machine that runs IPSec-compliant software has
    been compromised, communications from that
    machine cannot be trusted
  • Encrypts IP connection between two machines, not
    the body of e-mail messages or content of other
    communications
  • Not an end-to-end security method
  • Authenticates machines, not users
  • Doesn't prevent hackers from intercepting
    encrypted packets

57
Chapter Summary
  • How and why encryption is used in a network
  • How to use encryption to complement the
    firewall's activities
  • Encryption applications
      • PGP
      • SSL
      • IPSec
  • Schemes that can form part of a firewall
    architecture